CVE-2020-10189

CVSS 9.8 (Critical) · EPSS 99.9% · CISA KEV · CWE-502 (Deserialization of Untrusted Data)
In short

Zoho ManageEngine Desktop Central builds before 10.0.474 deserialize untrusted data in the getChartImage method of the FileStorage class. An unauthenticated attacker who can reach the server over the network can send a crafted request and execute arbitrary code, which amounts to complete compromise of the host. The flaw is listed in CISA's Known Exploited Vulnerabilities catalogue, so exploitation in the wild is confirmed.

Technical detail

The bug is a Java deserialization flaw (CWE-502): getChartImage in the FileStorage class passes data the attacker controls to native Java deserialization, and that code path is reachable without authentication through the CewolfServlet and MDMLogUploaderServlet servlets. With a suitable gadget chain on the server's classpath, readObject runs attacker-supplied logic with the privileges of the Desktop Central process, so a single request chain yields full control of the server. CVSS 3.0 rates it 9.8: network vector, low attack complexity, no privileges, no user interaction, and high impact on confidentiality, integrity and availability.

Summary generated and translated by AI from the official description.
Zoho ManageEngine Desktop Central before 10.0.474 allows remote code execution because of deserialization of untrusted data in getChartImage in the FileStorage class. This is related to the CewolfServlet and MDMLogUploaderServlet servlets.
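To make the deserialization sink concrete, the following is an added illustration of the CWE-502 pattern and its usual hardening. It is not ManageEngine code: the ChartImageStore class, the two getChartImage* methods, the SideEffectOnRead stand-in for a gadget and the sample byte strings are all assumptions made for this example, and it needs Java 9 or later for java.io.ObjectInputFilter.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Hypothetical illustration of the CWE-502 pattern behind CVE-2020-10189.
// Not ManageEngine code: the class names, the two getChartImage* methods and
// the sample byte strings are assumptions made for this example. Needs Java 9+
// for java.io.ObjectInputFilter.
public class ChartImageStore {

    // The one type the store is supposed to hold.
    public static final class ChartImage implements Serializable {
        private static final long serialVersionUID = 1L;
        public final byte[] png;
        public ChartImage(byte[] png) { this.png = png; }
    }

    // Stand-in for a gadget: a Serializable class whose readObject hook runs
    // code during deserialization. Real attacks use chains from libraries
    // already on the classpath; here the "payload" just flips a flag.
    public static final class SideEffectOnRead implements Serializable {
        private static final long serialVersionUID = 1L;
        public static volatile boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true;   // an attacker's readObject would execute a command instead
        }
    }

    // Vulnerable pattern: bytes from an untrusted source (upload, request
    // parameter, file named by the client) go straight into readObject.
    public static Object getChartImageUnsafe(InputStream untrusted)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(untrusted)) {
            return in.readObject();
        }
    }

    // Hardened pattern: an allowlist filter accepts only ChartImage (arrays are
    // matched by component type, so its byte[] field passes) and rejects every
    // other class before any of its code can run.
    public static Object getChartImageSafe(InputStream untrusted)
            throws IOException, ClassNotFoundException {
        ObjectInputFilter onlyChartImage = ObjectInputFilter.Config.createFilter(
                ChartImage.class.getName() + ";!*");
        try (ObjectInputStream in = new ObjectInputStream(untrusted)) {
            in.setObjectInputFilter(onlyChartImage);
            return in.readObject();   // InvalidClassException for anything not allowlisted
        }
    }

    // Cheap pre-check for upload handlers: a chart image never begins with the
    // Java serialization stream header 0xAC 0xED 0x00 0x05.
    public static boolean looksLikeJavaSerialization(byte[] data) {
        return data.length >= 4
                && (data[0] & 0xFF) == 0xAC && (data[1] & 0xFF) == 0xED
                && data[2] == 0x00 && data[3] == 0x05;
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a benign ChartImage and a hostile object.
        byte[] benign = serialize(new ChartImage(new byte[] {(byte) 0x89, 'P', 'N', 'G'}));
        byte[] hostile = serialize(new SideEffectOnRead());
        System.out.println("serialized stream header present: " + looksLikeJavaSerialization(hostile));

        System.out.println("unsafe, benign input -> "
                + getChartImageUnsafe(new ByteArrayInputStream(benign)).getClass().getSimpleName());
        getChartImageUnsafe(new ByteArrayInputStream(hostile));
        System.out.println("unsafe, hostile input -> readObject hook ran: " + SideEffectOnRead.triggered);

        SideEffectOnRead.triggered = false;
        try {
            getChartImageSafe(new ByteArrayInputStream(hostile));
        } catch (InvalidClassException e) {
            System.out.println("safe, hostile input -> rejected (" + e.getMessage()
                    + "), hook ran: " + SideEffectOnRead.triggered);
        }
        System.out.println("safe, benign input -> "
                + getChartImageSafe(new ByteArrayInputStream(benign)).getClass().getSimpleName());
    }
}
```

The per-stream filter is the defensive pattern for any readObject on untrusted bytes; a deployment-wide default can be set with the jdk.serialFilter system property. For the CVE itself the remediation is the vendor's fix, i.e. upgrading Desktop Central to build 10.0.474 or later, and the magic-byte check is a useful triage signal when reviewing uploaded files or request bodies for this class of attack.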
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Zoho ManageEngine Desktop Central, builds before 10.0.474